Data at rest is encrypted according to GitLab policy.
Encryption is a process in which data is encoded so that it remains hidden from or inaccessible to unauthorized users. It helps securely protect data that you don't want anyone to have access to. By encrypting our data at rest, we can better protect private, proprietary and sensitive data and can enhance the security of communication between client applications and servers. Encrypting sensitive data at rest also adds another roadblock and layer of complexity for the adversary and helps protect customer, employee, and partner data.
This control is applicable to the production environment and any end-user devices that store such data. The production environment includes all endpoints and cloud assets used in hosting GitLab.com and its subdomains. This may also include third-party systems that support the business of GitLab.com.
Non-public information relating to this security control as well as links to the work associated with various phases of project work can be found in the Encryption of Data at Rest control issue.
Examples of evidence an auditor might request to satisfy this control:
This control can be tested by verifying the at-rest encryption status of any production resource. For compute instances, this is done by verifying the encryption status of the instance's drives. For other resources such as managed databases (e.g., RDS and CloudSQL), this is done by verifying the at-rest encryption status in the resource's dashboard or another summary view. For vendors such as GCP that encrypt data at rest by default, consider providing the vendor's documentation showing the default at-rest encryption.
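One way to gather that evidence for AWS-hosted resources, as an added example that is not part of this page or of GitLab's own tooling: it parses the JSON returned by `aws ec2 describe-volumes` (the drives behind compute instances) and `aws rds describe-db-instances`, here replaced by constructed sample documents, and lists every volume or database whose at-rest encryption flag is not set, so an auditor sees the exceptions rather than a bare pass/fail claim. Resource identifiers in the sample are made up.

```python
import json

# Constructed sample documents in the shape of
# `aws ec2 describe-volumes --output json` and
# `aws rds describe-db-instances --output json`.
# The identifiers are invented and do not describe real infrastructure.
SAMPLE_VOLUMES = json.dumps({"Volumes": [
    {"VolumeId": "vol-0aaa111", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
    {"VolumeId": "vol-0bbb222", "Encrypted": False},
    {"VolumeId": "vol-0ccc333"},  # flag missing: treated as a finding
]})
SAMPLE_RDS = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "prod-db-1", "StorageEncrypted": True},
    {"DBInstanceIdentifier": "reporting-db-1", "StorageEncrypted": False},
]})


def find_unencrypted(volumes_json: str, rds_json: str) -> list[tuple[str, str]]:
    """Return (resource_type, identifier) for every resource whose at-rest
    encryption flag is not exactly True. A missing flag counts as a finding:
    absence of evidence is not evidence of encryption."""
    findings = []
    for vol in json.loads(volumes_json).get("Volumes", []):
        if vol.get("Encrypted") is not True:
            findings.append(("ebs-volume", vol["VolumeId"]))
    for db in json.loads(rds_json).get("DBInstances", []):
        if db.get("StorageEncrypted") is not True:
            findings.append(("rds-instance", db["DBInstanceIdentifier"]))
    return findings


def encryption_summary(volumes_json: str, rds_json: str) -> dict[str, tuple[int, int]]:
    """Per resource type, (encrypted count, total count) for the evidence record."""
    volumes = json.loads(volumes_json).get("Volumes", [])
    dbs = json.loads(rds_json).get("DBInstances", [])
    return {
        "ebs-volume": (sum(v.get("Encrypted") is True for v in volumes), len(volumes)),
        "rds-instance": (sum(d.get("StorageEncrypted") is True for d in dbs), len(dbs)),
    }


if __name__ == "__main__":
    # Replace the samples with the real CLI output when collecting evidence.
    for kind, ident in find_unencrypted(SAMPLE_VOLUMES, SAMPLE_RDS):
        print(f"NOT ENCRYPTED AT REST: {kind} {ident}")
    print(encryption_summary(SAMPLE_VOLUMES, SAMPLE_RDS))
```

The GCP side needs no per-disk flag check because Compute Engine and CloudSQL encrypt at rest by default; there the evidence is the vendor documentation the section mentions.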